It’s not a trivial task, and the only reason I mentioned it is because there are other products that can simplify what you’re wanting or even make it irrelevant. LEM comes to mind immediately. I doubt that this functionality will ever be added as a configurable portion of Kiwi, but if that’s all you have and that’s what you’re going to use, then it is possible; it just takes a lot more effort than configuring a significantly more expensive product to do it for you.
I’ve done it a few different ways depending on what I needed, but there is really no example that you can easily modify to fit your requirements. Writing a script to do this requires knowledge of your devices, what logs you want to correlate within devices and between devices, and under what circumstances you want to correlate them.
Also, if you want to do this strictly via Kiwi, then I would only suggest doing it if your traffic is fairly minimal. I process about 300k messages per hour, which isn’t much compared to many users that post here, so I can afford to increase my script execution time-out to 30 seconds if I need to and script database queries right out of Kiwi for most devices. But for my firewalls, which generate a good portion of that traffic and tend to have a significantly larger db table, I script this directly in the database engine via stored procedures and just execute external scripts to make things happen so Kiwi can continue processing messages.